On Wed, Mar 20, 2013 at 02:04:24PM +0100, Jan-Frode Myklebust wrote:
> On Wed, Mar 20, 2013 at 10:44:10AM +0100, Jakub Hrozek wrote:
> > 
> > This really sounds like a bug. If you encounter a situation like this,
> > where a group does not show all its members, feel free to open a bug.
> 
> I have been experiencing this for quite some time, but I'm struggeling
> with how to give useful bugreports. Right now I tested a ssh-login to
> one of my ipa servers and failed to log in:
> 
>       Mar 20 12:55:13 ipa1 sshd[16112]: pam_access(sshd:account): access 
> denied for user `janfrode' from `login2.example.net'
> 
> then I immediatelty try again, and can successfully log in. The reason
> for pam_access denying access is most likely that my groups isn't
> populated on the first try, but on the second it works.
> 
> I don't seem able to re-produce this issue by stopping/clearing/starting
> sssd, so I suspect it might be the connection between sssd and 389ds
> that has been broken by firewalls between them maybe. We have an evil
> firewall that breaks connections that's been idle for more than 30
> minutes.
> 

Ah, I see. The SSSD *should* reconnect in that case, though.

> Are there hearbeat or keepalive settings in IPA or 389ds that we should
> enable to keep connections alive ?
> 
> > 
> > Bottom line, if you are seeing inconsistent results with ipa backend,
> > please open a bug. This is something that would need fixing right away.
> 
> Don't know if I can call it inconsistent results with ipa backend, or
> just bad broken connection handling within sssd. Any hints for how I can
> provide better bugreports would be appreciated..
> 
> 

I think pasting or attaching SSSD logs would be a good start. Can you
put debug_level = 6 into your sssd.conf into the [pam] and [domain]
sections restart the sssd and then attach /var/log/sssd/sssd_pam.log and
/var/log/sssd/sssd_$domain.log ?

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to